Friday, April 4, 2014

OpenAppID Application Rules

In my last post I showed how to get the latest version of Snort up and running in order to explore our latest feature - OpenAppID. Here at Cisco we’ve released application detection as open source.

But the next part of application identification is application control.

The addition of OpenAppID also adds a new keyword to the Snort rules language. The appid keyword can be embedded in any rule to match only on traffic already identified as a specific application.

This can be used to more easily write rules for a specific application. In some cases you can rely solely on the appid keyword instead of a series of flowbits to identify a specific protocol or application. The appid keyword can also be used to alert on and control application usage.

For example, maybe you are easily distracted and need some help staying focused. To this end, Facebook and Reddit should be blocked.

The first step is to confirm the correct appid names used for these sites. For this we must check the appMapping.data file. The seventh column of this file has the short app name that we need for our rule. Since grep -i matches substrings, look at every line it returns and use the one whose seventh column is exactly the application you mean.

$ grep -i reddit appMapping.data |cut -f7

reddit

Now that I know the application name I can write my rule.

alert tcp any any -> any any (msg:"Too much noise"; appid: facebook reddit; sid:1000000; rev:1;)

Double-check each name in the appid list against appMapping.data, and pick a sid of 1000000 or higher, the range Snort leaves free for local rules, so it cannot collide with a distributed rule.

Now let’s test the new rule. I reloaded my web browser and tried Reddit.

Also packaged in the tools subdirectory of the Snort source package is a program called u2spewfoo, which will allow you to convert the unified2 binary alerts to readable text; point it at the log file, for example u2spewfoo snort.log.<timestamp>. This time we will examine the usual Snort log for rules that have alerted, instead of the application statistics file we looked at before.

In addition to the usual data (source IP address, time, protocol, etc.) you will see the new appid field is listed in this event.

While not new to this version of Snort, I think it’s worth pointing out the two extra data fields that show us the HTTP URI and hostname. If you’ve been relying on some older tools to parse your unified data for you, you may not know that this data is available.
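As an added example (not code from the original post and not Snort's own code), here is a small Python reader for the unified2 records discussed above. It pulls out the appid field from the event and the HTTP hostname and URI extra-data records, which is the same information u2spewfoo prints. The record type numbers, extra-data info types and struct layouts follow src/unified2.h in Snort 2.9.7 as I recall it and are an assumption to verify against your own source tree; the sample log bytes are constructed inline, not captured.

```python
"""Added example: read Snort unified2 records and pull out the appid field plus
the HTTP hostname and URI extra-data records that u2spewfoo prints with an
event. Not Snort's code and not from the blog post. Type numbers and struct
layouts follow src/unified2.h in Snort 2.9.7 as I recall it; treat them as an
assumption and check them against your tree before using this on real logs."""
import socket
import struct

UNIFIED2_EXTRA_DATA = 110        # assumption: record type of an extra-data blob
UNIFIED2_IDS_EVENT_APPID = 111   # assumption: IPv4 IDS event carrying app_name
EVENT_INFO_HTTP_URI = 9          # assumption: extra-data info types
EVENT_INFO_HTTP_HOSTNAME = 10
EVENT_TYPE_EXTRA_DATA = 4        # assumption: Unified2ExtraDataHdr.event_type
EVENT_DATA_TYPE_BLOB = 1         # assumption: SerialUnified2ExtraData.data_type

# Unified2IDSEvent_appid: the classic 52-byte IDS event, then mpls_label,
# vlanId and pad2 (the type 104 layout), then a 64-byte NUL-padded app_name.
APPID_EVENT_FMT = "!IIIIIIIIIIIHHBBBBIHH64s"
APPID_EVENT_LEN = struct.calcsize(APPID_EVENT_FMT)  # 124 bytes
# Unified2ExtraDataHdr (event_type, event_length), then SerialUnified2ExtraData
# (sensor_id, event_id, event_second, type, data_type, blob_length), then blob.
EXTRA_HDR_FMT = "!II"
EXTRA_SERIAL_FMT = "!IIIIII"
EXTRA_FIXED_LEN = struct.calcsize(EXTRA_HDR_FMT) + struct.calcsize(EXTRA_SERIAL_FMT)


def iter_records(buf):
    """Yield (record_type, payload); each record is a big-endian u32 type and
    u32 length followed by the payload. A length past the end means truncation."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from("!II", buf, off)
        off += 8
        if off + rlen > len(buf):
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, buf[off:off + rlen]
        off += rlen


def parse_appid_event(payload):
    """Decode a type 111 event; 'appid' is the name the appid rule option matched."""
    f = struct.unpack(APPID_EVENT_FMT, payload[:APPID_EVENT_LEN])
    return {
        "event_id": f[1], "gid": f[5], "sid": f[4], "rev": f[6],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16],
        "appid": f[20].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def parse_extra_data(payload):
    """Decode a type 110 record into (event_id, info_type, blob)."""
    fields = struct.unpack_from(EXTRA_HDR_FMT + EXTRA_SERIAL_FMT[1:], payload)
    event_id, info_type, blob_len = fields[3], fields[5], fields[7]
    # blob_length counts the blob plus the 8 bytes of data_type and blob_length.
    blob = payload[EXTRA_FIXED_LEN:EXTRA_FIXED_LEN + blob_len - 8]
    return event_id, info_type, blob


def summarize(buf):
    """Join each appid event with its HTTP extra data by event_id; returns a list."""
    names = {EVENT_INFO_HTTP_URI: "http_uri", EVENT_INFO_HTTP_HOSTNAME: "http_hostname"}
    events = {}
    for rtype, payload in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT_APPID:
            ev = parse_appid_event(payload)
            events.setdefault(ev["event_id"], {}).update(ev)
        elif rtype == UNIFIED2_EXTRA_DATA:
            event_id, info_type, blob = parse_extra_data(payload)
            if info_type in names:
                events.setdefault(event_id, {})[names[info_type]] = blob.decode("ascii", "replace")
    return list(events.values())


def build_sample_log():
    """Constructed sample bytes (not a captured log): one alert on sid 1000000
    tagged appid 'reddit', plus HTTP hostname and URI extra data for it."""
    def ip(s):
        return struct.unpack("!I", socket.inet_aton(s))[0]
    event = struct.pack(APPID_EVENT_FMT,
                        0, 7, 1396626000, 0,              # sensor, event_id, sec, usec
                        1000000, 1, 1, 0, 3,              # sid, gid, rev, class, priority
                        ip("192.0.2.10"), ip("198.51.100.20"), 51234, 80,
                        6, 0, 0, 0,                       # TCP, impact_flag, impact, blocked
                        0, 0, 0, b"reddit")               # mpls, vlan, pad, app_name
    out = struct.pack("!II", UNIFIED2_IDS_EVENT_APPID, len(event)) + event
    for info_type, blob in ((EVENT_INFO_HTTP_HOSTNAME, b"www.reddit.com"),
                            (EVENT_INFO_HTTP_URI, b"/")):
        serial = struct.pack(EXTRA_SERIAL_FMT, 0, 7, 1396626000,
                             info_type, EVENT_DATA_TYPE_BLOB, len(blob) + 8)
        body = struct.pack(EXTRA_HDR_FMT, EVENT_TYPE_EXTRA_DATA, len(serial) + len(blob))
        body += serial + blob
        out += struct.pack("!II", UNIFIED2_EXTRA_DATA, len(body)) + body
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_log()
    for ev in summarize(data):
        print(ev)
```

Run it with no arguments to parse the constructed sample, or pass a snort.log.<timestamp> file to read a real log. Compare its output with u2spewfoo on the same file before trusting it: if a type number in the assumptions above does not match your build, the reader will simply skip those records rather than fail loudly.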

Now all I have to do is change my rule from alert to drop and reload Snort and I'll have a better chance at avoiding distraction! Two things to keep in mind: drop only takes effect when Snort is running inline (for example with the afpacket or nfq DAQ and -Q), since in passive mode a drop rule can only alert; and because appid is assigned only once enough of a flow has been seen to identify the application, the first few packets of each connection will already have passed before the rule fires.

Happy Snorting! Let us know in the comments how you’re using the latest visibility and control into the application layer.